If you are looking for a way to access the internet safely and easily from a smartphone, laptop or any other device on an untrusted network, such as a hotel's or a restaurant's Wi-Fi, the answer is a virtual private network (VPN). A VPN lets you roam untrusted networks securely and privately, as if you were on a private, trusted network: your traffic travels encrypted to the VPN server and from there makes its way to its destination.
Combined with HTTPS connections, this setup secures your wireless logins and the transactions you make. It also lets you bypass geographical restrictions and censorship, and it shields your location and your unencrypted HTTP traffic from the untrusted network.
OpenVPN is an open-source, full-featured SSL (Secure Sockets Layer) VPN solution that accommodates a wide range of configurations. This article explains how to set up an OpenVPN server on a Droplet and then configure access to it from different operating systems: Windows, OS X, iOS and Android. The installation and configuration process is kept as simple as possible for these setups.
The only prerequisite is an Ubuntu 14.04 Droplet that is up and running. You will need root access to complete the rest of the article.
Step 1 – Install and Configure the OpenVPN Server Environment
To set up the server side of OpenVPN, complete the following steps.
Before installing any packages, update Ubuntu's repository lists.
Then install OpenVPN and Easy-RSA.
The sample VPN server configuration file must be extracted to /etc/openvpn so that we can build on it. A single command does this:
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
Once it has been extracted, open server.conf in a text editor. We will use Vim, but use whichever editor you prefer.
There are several changes to make. First, you will see a section like this:
Change dh1024.pem to dh2048.pem.
This doubles the RSA key length used when generating the server and client keys.
Still in server.conf, look for this section:
Uncomment push "redirect-gateway def1 bypass-dhcp". This makes the VPN server pass clients' web traffic on to its destination.
The next edit is here:
Uncomment the last two lines of the section above so that they look like this:
This tells the server to push OpenDNS to connected clients for DNS resolution where possible, which helps prevent DNS requests leaking outside the VPN connection. The desired DNS resolvers must also be specified on the client devices. OpenDNS is OpenVPN's default, but you can use whichever DNS service you like.
The last area to edit in server.conf is:
Uncomment the last two lines of the section above so that they look like this:
By default OpenVPN runs as the root user and therefore has full access to the system. We will restrict OpenVPN to the user nobody and the group nogroup. This is an unprivileged user with no ability to log in, and it is typically reserved for running untrusted applications such as web-facing servers.
Save the changes and close Vim.
The next setting is a sysctl setting that tells the server's kernel to forward traffic from the client devices out to the internet; otherwise the traffic stops at the server. Enable packet forwarding at runtime with this command:
Make this permanent so that the server still forwards traffic after a reboot.
Near the top of the sysctl file you will see:
Uncomment net.ipv4.ip_forward so that it reads:
Save your changes and exit.
Uncomplicated Firewall (ufw)
ufw is a front end for iptables and is easy to set up. It is already installed on Ubuntu 14.04 by default, so we only need to configure a few settings and rules and switch the firewall on.
First, set ufw to allow SSH. At the command prompt, enter:
Since this article uses OpenVPN over UDP, ufw must also allow UDP traffic on port 1194.
Next, set ufw's forwarding policy. We will edit ufw's primary configuration file for this.
Look for DEFAULT_FORWARD_POLICY="DROP" and change it to DEFAULT_FORWARD_POLICY="ACCEPT".
Next we add rules for network address translation (NAT) and IP masquerading of connected clients.
Make the top of the before.rules file look like the block below. The OPENVPN RULES area marked in red is the part to add:
Once the changes have been made, enable ufw. At the command prompt:
This returns the prompt:
Answer y. The result is:
Now check ufw's status:
This command should return something like:
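As an added example, not part of the original article, the following script applies the Step 1 edits (server.conf hardening, persistent IP forwarding, ufw forward policy and the NAT masquerade rule) to copies of the files, then checks the result with grep. It works on whatever paths it is given, so it can be tried against scratch copies before touching /etc/openvpn/server.conf, /etc/sysctl.conf, /etc/default/ufw and /etc/ufw/before.rules. The sample file contents are constructed fragments of the stock files containing only the lines the article changes; the VPN subnet 10.8.0.0/24 (the sample server.conf default) and the egress interface eth0 are assumptions, as are the function names.

```shell
#!/bin/sh
# Added example (not from the article): Step 1 edits as reviewable functions.
set -eu

# server.conf: 2048-bit DH file, route all client traffic through the VPN,
# push the OpenDNS resolvers, and drop root privileges after start-up.
harden_server_conf() {
  sed -i \
    -e 's/^dh dh1024\.pem/dh dh2048.pem/' \
    -e 's/^;push "redirect-gateway def1 bypass-dhcp"/push "redirect-gateway def1 bypass-dhcp"/' \
    -e 's/^;push "dhcp-option DNS /push "dhcp-option DNS /' \
    -e 's/^;user nobody/user nobody/' \
    -e 's/^;group nogroup/group nogroup/' "$1"
}

# sysctl.conf: make IPv4 forwarding survive reboots (sysctl -w enables it now).
enable_ip_forward() {
  sed -i 's/^#net\.ipv4\.ip_forward=1/net.ipv4.ip_forward=1/' "$1"
}

# ufw: forward policy ACCEPT, plus a *nat MASQUERADE rule for the VPN subnet
# inserted at the top of before.rules (assumed subnet 10.8.0.0/24, interface eth0).
configure_ufw_nat() {
  default_ufw=$1; before_rules=$2; vpn_net=${3:-10.8.0.0/24}; iface=${4:-eth0}
  sed -i 's/^DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/' "$default_ufw"
  tmp=$(mktemp)
  {
    printf '# START OPENVPN RULES\n# NAT table rules\n*nat\n:POSTROUTING ACCEPT [0:0]\n'
    printf -- '-A POSTROUTING -s %s -o %s -j MASQUERADE\nCOMMIT\n# END OPENVPN RULES\n' "$vpn_net" "$iface"
    cat "$before_rules"
  } > "$tmp"
  mv "$tmp" "$before_rules"
}

# check_step1 SERVER_CONF SYSCTL_CONF DEFAULT_UFW BEFORE_RULES
# Succeeds only if every directive the article expects is present and uncommented.
check_step1() {
  grep -q '^dh dh2048.pem' "$1" &&
  grep -q '^push "redirect-gateway def1 bypass-dhcp"' "$1" &&
  [ "$(grep -c '^push "dhcp-option DNS ' "$1")" -eq 2 ] &&
  grep -q '^user nobody' "$1" && grep -q '^group nogroup' "$1" &&
  grep -q '^net.ipv4.ip_forward=1' "$2" &&
  grep -q '^DEFAULT_FORWARD_POLICY="ACCEPT"' "$3" &&
  grep -q '^\*nat' "$4" && grep -q -- '-j MASQUERADE' "$4"
}

# Constructed scratch copies holding only the lines Step 1 touches.
WORK=$(mktemp -d)
cat > "$WORK/server.conf" <<'EOF'
port 1194
proto udp
dev tun
dh dh1024.pem
server 10.8.0.0 255.255.255.0
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;user nobody
;group nogroup
EOF
printf '#net.ipv4.ip_forward=1\n' > "$WORK/sysctl.conf"
printf 'DEFAULT_FORWARD_POLICY="DROP"\n' > "$WORK/ufw"
printf '*filter\n:ufw-before-input - [0:0]\nCOMMIT\n' > "$WORK/before.rules"

harden_server_conf "$WORK/server.conf"
enable_ip_forward "$WORK/sysctl.conf"
configure_ufw_nat "$WORK/ufw" "$WORK/before.rules"
check_step1 "$WORK/server.conf" "$WORK/sysctl.conf" "$WORK/ufw" "$WORK/before.rules" \
  && echo "Step 1 edits applied in $WORK"
```

The runtime commands the article describes (sysctl -w net.ipv4.ip_forward=1, ufw allow ssh, ufw allow 1194/udp, ufw enable) are deliberately left out so the script is safe to run on a workstation; the NAT rule's -s must match the server directive in server.conf, which is the single most common reason client traffic stops at the server.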
Step 2 – Creating a Certificate Authority and Server-Side Certificate and Key
OpenVPN uses certificates to encrypt and authenticate its connections.
Configuring and Building the Certificate Authority
Now it is time to generate our own Certificate Authority (CA) and the certificates and keys for the OpenVPN server. OpenVPN supports certificate-based bidirectional authentication, which means the client and the server must each authenticate the other's certificate before mutual trust is established. To do this we will use the Easy-RSA scripts that we copied earlier.
First, copy the Easy-RSA generation scripts.
Then create the key storage directory:
There is a variables file that can be edited to create certificates specific to our business, person or whatever entity we choose. This information is copied into the keys and certificates and later helps identify them.
Change the variables marked in red below to whatever you prefer.
In the same vars file we also need to edit the single line below. For simplicity we are using server as the key name. If you use a different name, you will also need to update the OpenVPN configuration files that reference server.key and server.crt.
Now change directory so that we work directly out of the location to which we moved the Easy-RSA scripts in Step 2.
Now initialize the Public Key Infrastructure. Pay special attention to the dot (.) and the space in front of the ./vars command; it signifies the current working directory (source).
The output generated by the above command is shown below. Nothing has yet been generated in the keys directory, so the warning is nothing to be alarmed about.
Now clear out any old or existing keys in the directory to make way for our new keys:
This last command invokes an interactive OpenSSL command and builds the certificate authority (CA). The output asks you to confirm the variables that were entered into the Easy-RSA variable file earlier.
Just press ENTER to pass through each prompt. If something should be changed, you can do so from within the prompt.
Generate a Certificate and Key for the Server
Still working from /etc/openvpn/easy-rsa, enter the command to build the server key. The server marked in red is the export KEY_NAME variable that we set in Easy-RSA's vars file in Step 2.
The same output is generated as with the ./build-ca command, and you can again press ENTER to confirm each line of the distinguished name. This time, however, you will see two additional prompts:
Leave both blank; just press ENTER to skip each one.
Two queries at the end require a positive (y) response:
Finally, the above prompt should complete with:
Move the Server Certificate and Keys
By default OpenVPN expects the server's certificate, key and CA in /etc/openvpn. We now copy the required files into that location so that OpenVPN can find them.
If the copy succeeded, you can verify it with:
You should now see the server's certificate and key files in the desired location.
At this stage the OpenVPN server is ready to go. Start it and check its status.
The output you should see is like this:
Congratulations! You have successfully configured your OpenVPN server and it should be operational. If the status message says the VPN is not running, take a closer look at /var/log/syslog for errors such as:
The error above indicates that server.key was not copied into /etc/openvpn correctly. Copy the file to the directory again and repeat the procedure to bring OpenVPN to its operational state.
Step 3 – Generate Certificates and Keys for Clients
So far we have installed and configured the OpenVPN server, created a Certificate Authority, and created a certificate and key for the server. This step shows how to use the server's CA to make certificates and keys for every client device that will connect to the VPN. These files are later installed on the client devices, such as smartphones or laptops.
Key and Certificate Building
Ideally each client connecting to the VPN should have its own certificate and key. This is preferable to generating one general certificate and key for all connected clients.
Note that by default OpenVPN does not allow simultaneous connections to the server from clients using the same certificate and key.
Complete this step for each device if you intend to create separate authentication credentials for each one that connects to the VPN, changing the name client1 below to something different, such as client2 or iphone2. Giving every device its own credentials means that each can be deactivated individually on the server side when needed. The rest of the article uses client1 as the example client device's name.
Now build a key for client1 as we did for the server. The working directory should be /etc/openvpn/easy-rsa.
As with the server, you will again be asked to confirm or change the distinguished-name variables, and as before those two additional prompts should be left blank. Press ENTER to accept the defaults.
As before, these two confirmations require a (y) response at the end of the build process:
If the key build succeeds, the output will be as before:
Copy the example client configuration to the Easy-RSA keys directory. This example configuration file will be used as a template that is downloaded to the client devices and then edited. While copying, we rename the example file from client.conf to client.ovpn, because .ovpn is the extension that all the clients expect.
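The following script is an added example, not part of the article and not Easy-RSA's own code. It builds the same PKI that Step 2 and Step 3 produce with build-ca, build-key-server and build-key, but with the plain openssl commands those scripts wrap, so that every artefact can be inspected and checked: a 2048-bit CA, a server certificate carrying the serverAuth extended key usage, and a client1 certificate carrying clientAuth, followed by the verification a practitioner would run before copying anything to /etc/openvpn. The scratch directory, the distinguished-name fields and the function names are assumptions; nothing is written under /etc.

```shell
#!/bin/sh
# Added example (not from the article or Easy-RSA): OpenVPN PKI with plain openssl.
set -eu

# Minimal openssl config so nothing depends on the system openssl.cnf. The
# separate extension sections make server and client certificates distinguishable,
# which is what lets a client refuse a server that presents a stolen client cert.
write_openssl_cnf() {
  cat > "$1" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# build_ca DIR : self-signed 2048-bit RSA CA (what ./build-ca does interactively).
build_ca() {
  dir=$1
  openssl req -config "$dir/openssl.cnf" -x509 -new -newkey rsa:2048 -nodes -sha256 \
    -days 3650 -subj "/C=US/O=GeekEasier/CN=GeekEasier CA" -extensions v3_ca \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  chmod 600 "$dir/ca.key"   # the CA key signs every client; it never leaves the server
}

# issue_cert DIR NAME EXT : key + CSR for NAME, signed by the CA with extension
# section EXT (v3_server for the server, v3_client for each client device).
issue_cert() {
  dir=$1; name=$2; ext=$3
  openssl req -config "$dir/openssl.cnf" -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=US/O=GeekEasier/CN=$name" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/openssl.cnf" -extensions "$ext" \
    -out "$dir/$name.crt" 2>/dev/null
  chmod 600 "$dir/$name.key"
}

# verify_cert DIR NAME PURPOSE : does NAME.crt chain to our CA and carry the
# extended key usage for PURPOSE (sslserver or sslclient)?
verify_cert() {
  openssl verify -purpose "$3" -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# key_bits DIR NAME : RSA modulus size of the public key in NAME.crt.
key_bits() {
  openssl x509 -in "$1/$2.crt" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

PKI_DIR=$(mktemp -d)
write_openssl_cnf "$PKI_DIR/openssl.cnf"
build_ca "$PKI_DIR"
issue_cert "$PKI_DIR" server v3_server
issue_cert "$PKI_DIR" client1 v3_client
# $PKI_DIR now holds ca.crt, server.crt/.key and client1.crt/.key, the same set
# that Step 2 and Step 3 leave in /etc/openvpn/easy-rsa/keys.
verify_cert "$PKI_DIR" server sslserver && echo "server.crt verified against ca.crt"
```

The purpose check is the part worth keeping: verify_cert with sslserver succeeds for server.crt and fails for client1.crt, which is the property that stops one client's credentials being reused to impersonate the server (OpenVPN clients enforce it with the remote-cert-tls server directive). The client key files are mode 600 because they are exactly what Step 3 later copies to the device.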
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client.ovpn
This section can be repeated for each client by replacing client1 with the appropriate client name.
Transferring Certificates and Keys to Client Devices
Recall from the steps above that we created the keys and certificates and stored them in /etc/openvpn/easy-rsa/keys.
For every client we must transfer the client profile template, certificate and key files to a folder on our local computer or on another client device.
In this article the client1 device requires its key and certificate, which are located on the server in:
The ca.crt and client.ovpn files are exactly the same for all clients, and these two files should also be downloaded. Note that ca.crt is located in a different directory from the others.
The application used to complete this transfer depends on your choice and on the device's operating system. Whatever you use, it should use SFTP (SSH file transfer protocol) or SCP (secure copy) under the hood, so that all of the client's VPN authentication files are copied over an encrypted connection.
Finally, check that the following four files are present on your client device:
Step 4 – Creating a Unified OpenVPN Profile for Client Devices
There are several ways to manage the client files, but the easiest is a unified profile: edit the client.ovpn template and embed the server's CA and the client's certificate and key in it. Once everything is merged into one file, only that single client.ovpn needs to be imported into the client's OpenVPN application.
We will create a single profile for our client1 device on the computer to which we downloaded the client files. This computer can itself be a client or just a temporary work area for merging the authentication files. Duplicate and rename the client.ovpn template; how you do this depends on your local computer's operating system.
Note that the name of the duplicated client.ovpn file does not need to be related to the client device; the client-side OpenVPN application uses the file name as the identifier for the VPN connection itself. Duplicate client.ovpn to whatever name you want the VPN connection to have on your operating system.
In this article we name the connection GeekEasier, so GeekEasier.ovpn is the file name used from now on. Once it is named, open GeekEasier.ovpn in a text editor of your choice.
The first thing to attend to is the IP address of your Droplet. Near the top of the file, change my-server-1 to your VPN's IP address.
Next, find the area shown below and uncomment user nobody and group nogroup, as we did in server.conf in Step 1. Note that this does not apply to Windows, so Windows users can skip it. It should look like this:
In the area below, the three lines shown need to be commented out so that the key and certificate can instead be included directly in GeekEasier.ovpn. When you are done it should look like this:
Now merge the individual files into one unified file. The contents of ca.crt, client1.crt and client1.key are pasted directly into the .ovpn profile using XML-like tags. The end of the file should take this form:
Once finished, the end of the file should match this abbreviated example:
client1.crt contains some extra information; it is fine to add the whole file.
Save the changes and exit. We now have a unified OpenVPN client profile with which to configure client1.
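As an added example that is not part of the original article, the script below performs the Step 4 merge mechanically: it takes the client.ovpn template, ca.crt, client1.crt and client1.key, sets the remote address, uncomments user nobody and group nogroup, comments out the three ca/cert/key file references, appends the PEM blocks inside <ca>, <cert> and <key> tags, and then checks the result. The template lines are a constructed subset of the stock client.conf, the PEM bodies are placeholders rather than real key material, the server address 203.0.113.10 is a documentation address, and the function and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): build a unified .ovpn profile.
set -eu

# pem_only FILE : keep just the PEM block. Easy-RSA's .crt files carry a text
# dump above the PEM; OpenVPN tolerates it, but trimming keeps the profile clean.
pem_only() {
  sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# build_unified_profile TEMPLATE CA CERT KEY SERVER_IP OUT
build_unified_profile() {
  template=$1; ca=$2; cert=$3; key=$4; server_ip=$5; out=$6
  {
    sed \
      -e "s/^remote my-server-1 1194$/remote $server_ip 1194/" \
      -e 's/^;user nobody/user nobody/' \
      -e 's/^;group nogroup/group nogroup/' \
      -e 's/^ca ca\.crt/#ca ca.crt/' \
      -e 's/^cert client\.crt/#cert client.crt/' \
      -e 's/^key client\.key/#key client.key/' "$template"
    printf '<ca>\n';   pem_only "$ca";   printf '</ca>\n'
    printf '<cert>\n'; pem_only "$cert"; printf '</cert>\n'
    printf '<key>\n';  pem_only "$key";  printf '</key>\n'
  } > "$out"
  chmod 600 "$out"   # the profile now embeds the client's private key
}

# profile_ok FILE : the checks to run before copying the profile to a device.
profile_ok() {
  f=$1
  grep -q '^remote [0-9.]* 1194$' "$f" &&
  ! grep -q 'my-server-1' "$f" &&
  ! grep -q '^ca ca.crt' "$f" && ! grep -q '^cert client.crt' "$f" && ! grep -q '^key client.key' "$f" &&
  grep -q '^<ca>$' "$f" && grep -q '^<cert>$' "$f" && grep -q '^</key>$' "$f" &&
  grep -q 'BEGIN CERTIFICATE' "$f" && grep -q 'BEGIN PRIVATE KEY' "$f"
}

# Constructed inputs: a subset of the stock client.conf plus placeholder PEM files.
WORK=$(mktemp -d)
cat > "$WORK/client.ovpn" <<'EOF'
client
dev tun
proto udp
remote my-server-1 1194
resolv-retry infinite
nobind
;user nobody
;group nogroup
ca ca.crt
cert client.crt
key client.key
EOF
printf -- '-----BEGIN CERTIFICATE-----\nCA_PLACEHOLDER\n-----END CERTIFICATE-----\n' > "$WORK/ca.crt"
printf 'Certificate:\n    Data:\n        Version: 3\n-----BEGIN CERTIFICATE-----\nCLIENT1_PLACEHOLDER\n-----END CERTIFICATE-----\n' > "$WORK/client1.crt"
printf -- '-----BEGIN PRIVATE KEY-----\nKEY_PLACEHOLDER\n-----END PRIVATE KEY-----\n' > "$WORK/client1.key"

build_unified_profile "$WORK/client.ovpn" "$WORK/ca.crt" "$WORK/client1.crt" \
  "$WORK/client1.key" 203.0.113.10 "$WORK/GeekEasier.ovpn"
profile_ok "$WORK/GeekEasier.ovpn" && echo "unified profile written to $WORK/GeekEasier.ovpn"
```

Because the finished profile carries the private key, treat GeekEasier.ovpn with the same care as client1.key: it is restricted to the owner here, and it should travel to the device over SFTP or SCP as the transfer section describes.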
Step 5 – Installing the Client Profile
What remains is how to install a client VPN profile on Android, iOS, OS X and Windows. The instructions for each client are independent of the others, so skip to whichever applies to you.
Remember that the connection will be given the same name as the .ovpn file. In our example the file is GeekEasier.ovpn, so the connection will be called GeekEasier.
The OpenVPN client application for Windows can be downloaded from OpenVPN's Downloads page. Choose the right version for your version of Windows.
Note that administrative rights are required to install OpenVPN on Windows.
After installing OpenVPN, copy the unified GeekEasier.ovpn profile to:
When you launch OpenVPN, it will automatically see the profile and make it available.
OpenVPN must be run as an administrator each time it is used, even from administrative accounts. To avoid having to right-click and select Run as administrator every time you use the VPN, you can preset this, but it must be done from an administrator account. Standard users then need to enter the admin password to use OpenVPN; without administrative rights OpenVPN cannot connect to the server properly, so administrative privileges are necessary.
To set the OpenVPN application to always run as administrator, right-click its shortcut icon and go to Properties. At the bottom of the Compatibility tab, click Change settings for all users. In the new window, check Run this program as an administrator.
Each time you launch the OpenVPN GUI, Windows asks whether you want this program to make changes to your computer. Click Yes. Launching the OpenVPN client application only places the applet in the system tray so that the VPN can be connected and disconnected as needed; it does not make a VPN connection by itself.
Once OpenVPN is running, make a connection by right-clicking the OpenVPN applet icon in the system tray to open its context menu. Select GeekEasier at the top of the menu (our GeekEasier.ovpn profile) and choose Connect.
Tunnelblick is an open-source VPN client for Mac OS X. Download the latest disk image from the Tunnelblick Downloads page, then double-click the .dmg file and follow the installation steps.
Near the end of the installation, Tunnelblick asks whether you have any configuration files; answering No is easiest, and the installer then finishes. To add the client profile, open a Finder window and double-click GeekEasier.ovpn. Administrative rights are needed to install the client profile.
Launch Tunnelblick by double-clicking Tunnelblick in the Applications folder. Once it is running, a Tunnelblick icon appears in the menu bar at the top right of the screen; it is used to control connections. Click the icon, and when the Connect menu opens select GeekEasier to connect to the VPN.
On iOS, go to the iTunes App Store and search for and install OpenVPN Connect, the official iOS OpenVPN client application. Then transfer the client profile to the device by connecting the iOS device directly to the computer.
To complete the transfer, open iTunes on the computer and click iPhone > Apps. Near the bottom of the File Sharing section, click the OpenVPN app. The blank window on the right, OpenVPN Documents, is used for sharing files. Drag the .ovpn file into the OpenVPN Documents window.
Now launch the app on the iPhone. A notification says that a new profile is ready to be imported; tap the green plus sign to import it.
The OpenVPN app is now ready to use with the new profile. Start the connection by sliding the Connect button to On; to disconnect, slide it to Off.
Note that the VPN button in Settings cannot be used to connect to this VPN; if you try, you will be prompted to use the OpenVPN app instead.
For Android, open the Google Play Store, search for Android OpenVPN, and install the official Android client application.
Copying the .ovpn file is straightforward: connect the Android device to the computer and copy the file over. Alternatively, if you have an SD card reader, remove the memory card from the device, copy the .ovpn file onto it, and put the card back into the device.
Start the OpenVPN application and open its menu to import the profile.
Then navigate to where the profile was saved. The screenshot uses the SD card location (/sdcard/download/); select the file there. The application will confirm that the profile has been imported.
To connect to the VPN, tap the Connect button. The application asks whether you trust the OpenVPN application; tap OK to start the connection. To disconnect, return to the OpenVPN application and choose Disconnect.
Step 6 – Testing Your VPN Connection
Once everything is installed, a simple check tells you whether it is all working. Without connecting the VPN, open a browser and go to DNSLeakTest.
The site shows the IP address assigned to you by your ISP (Internet Service Provider), which is how you appear to the rest of the world. To check your DNS settings from the same site, click Extended Test, which tells you which DNS servers you are using.
Now connect the OpenVPN client to the Droplet's VPN and refresh the browser. A completely different IP address should appear; this is the address by which the world now recognizes you. DNSLeakTest's Extended Test will again check your DNS settings and confirm that you are now using the DNS resolvers pushed by your VPN.
Congratulations! You can now securely traverse the internet, protecting your identity, location and traffic from censors and snoopers.